MaxPatrol SIEM

Detects cyberincidents that undermine cyber resilience of a company

T1560.002: Archive via Library

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including Python rarfile , libzip , and zlib . Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_collection: PT-CR-661: Data_Compression: A user archived data using a utility or PowerShell cmdlet

Detection

IDDS0012Data source and componentScript: Script ExecutionDescription

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

IDDS0022Data source and componentFile: File CreationDescription

Monitor newly constructed files being written with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.